A critical supply chain flaw in Google’s open source software development tool Bazel opened the door for attackers to inject malicious code. The command injection vulnerability, according to the researchers, affected the security of millions of projects dependent on Bazel, including Kubernetes, Angular, Uber, LinkedIn, Databricks, Dropbox, Nvidia and Google.
The flaw was first identified by researchers at Cycode in November, and Google patched it within seven days. In a February 1 blog post, the Cycode Research Team reveals details about the bug.
“We discovered that the GitHub Actions workflow could have been injected with malicious code due to a command injection vulnerability in one of Bazel’s dependent actions,” wrote Elad Pticha, a researcher with Cycode. “This vulnerability directly affects the software supply chain, potentially allowing malicious actors to inject malicious code into Bazel’s code base, create a backdoor, and affect the production environment of anyone using Bazel.”
The disclosure timeline began with Cycode’s bug bounty report to Google on November 1. Google opened a review of the report on November 7 and pushed a “new commit” update addressing the bug the next day. On December 5, a “pull request” fully resolved the bug, and a week later Google awarded Cycode a $13,337 bug bounty.
Breaking the bug
Pticha wrote that Google acknowledged the “critical importance of the vulnerability.” The crux of the problem, the researchers wrote, lay in the use of GitHub Custom Actions — a “versatile approach to streamlining” the software development workflow — together with what is called a cherry-picker workflow.
A cherry-picker workflow is built around the Git command that, as Atlassian describes it, allows arbitrary commits to be picked by reference and applied to the current working HEAD, or code branch, in the development environment.
“Custom actions can be compared to functions called inside code, where we use our own functions and import third-party ones,” Pticha wrote. GitHub supports three types of custom action: Docker, JavaScript, and composite.
“Custom actions put significant strain on an organization’s software supply chain. A few lines of code in a top-level workflow can turn into thousands or even millions of lines of code, many of which we may not even be aware of,” he wrote.
Using GitHub Actions—a continuous integration and continuous delivery (CI/CD) platform for automating the build, test, and deployment of the software development lifecycle—Cycode researchers were able to identify how a command injection vulnerability could target a cherry-picking workflow.
Actions, Pticha wrote, use programs written in languages “such as JavaScript and Python, and use libraries from various package managers such as NPM or PyPI, forming an extensive chain of dependencies.”
Cycode researchers were able to obtain Bazel and GitHub tokens by injecting malicious content into system logs. Vulnerabilities in indirect dependencies such as custom actions, Pticha wrote, “are difficult to identify because they may reside in different repositories, in other ecosystems, and be managed by other maintainers.”
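The class of flaw the article describes, shown as an added example that is not taken from Cycode’s write-up or from Bazel’s own workflow: a constructed cherry-pick workflow that splices a pull-request title into a `run:` script (the exact field Bazel’s action consumed is not stated here, so the PR title is an assumption), the hardened form that hands the value to the shell through an environment variable, and a small scanner that flags the vulnerable pattern. The list of untrusted `github.event` contexts is an illustrative assumption, not an exhaustive one.

```python
import re

# Untrusted contexts an outside contributor controls (assumption: an illustrative subset).
UNTRUSTED = re.compile(
    r"\$\{\{\s*github\.event\.(?:pull_request\.(?:title|body|head\.ref)"
    r"|issue\.(?:title|body)|comment\.body|head_commit\.message)\s*\}\}"
)
RUN_KEY = re.compile(r"^\s*(?:-\s+)?run:\s*(.*)$")

def find_run_injections(workflow_text):
    """Return (line, expression) pairs where an untrusted github.event expression
    is spliced into a run: script (lines indented deeper than run: belong to it)."""
    findings, in_run, run_indent = [], False, 0
    for n, line in enumerate(workflow_text.splitlines(), 1):
        if not line.strip():
            continue
        m = RUN_KEY.match(line)
        if m:
            in_run, run_indent, text = True, line.index("run:"), m.group(1)
        elif in_run and len(line) - len(line.lstrip()) > run_indent:
            text = line
        else:
            in_run = False
            continue
        findings.extend((n, expr) for expr in UNTRUSTED.findall(text))
    return findings

# Constructed vulnerable workflow: the PR title is pasted into the shell script.
VULNERABLE = """\
on: pull_request_target
jobs:
  pick:
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo "Cherry-picking: ${{ github.event.pull_request.title }}"
"""

# Constructed fix: the shell receives the title only as quoted data in $TITLE.
HARDENED = """\
on: pull_request_target
jobs:
  pick:
    runs-on: ubuntu-latest
    steps:
      - env:
          TITLE: ${{ github.event.pull_request.title }}
        run: echo "Cherry-picking: $TITLE"
"""
```

Running `find_run_injections` over the two documents flags only the first, at the line where the expression is expanded inside the script.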
Of the 3.4 million workflows in public repositories, almost all of them (about 98.75%) include one or more custom actions, Pticha wrote.